[ Tuesday, March 17, 2009 ]
New Provisions under the Stimulus Bill: what about business associates?
Here's my take:
Business Associates Now Covered, Too. Under the original structure of HIPAA, only healthcare providers, health plans, and healthcare clearinghouses were “covered entities;” the vendors and other parties with which they dealt, and which received “protected health information” or PHI from them, were not directly covered by HIPAA, and therefore could not be directly prosecuted for a HIPAA breach. Rather, HIPAA required covered entities to enter into “business associate agreements” (or “BAAs”) these “business associates” to restrict the business associate’s use of the information and effectively apply HIPAA to the business associate via contract. ARRA explicitly (although somewhat inartfully ) directly applies the same HIPAA requirements that are applicable to covered entities to their “business associates.” If a business associate breaches a BAA, it will not simply be at risk of a breach of contract action; rather it will be directly subject to prosecution under HIPAA.
Jeff [5:21 PM]
Blogger: HIPAA Blog - Edit your Template